CN110572412A - Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof - Google Patents


Info

Publication number
CN110572412A
Authority
CN
China
Prior art keywords
firewall
ids
snort
filtering
rule
Prior art date
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Pending
Application number
CN201910903978.1A
Other languages
Chinese (zh)
Inventor
伏晓
马啸雨
骆斌
Current Assignee (as listed; may be inaccurate)
Nanjing University
Original Assignee
Nanjing University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a firewall based on intrusion detection system (IDS) feedback in a cloud environment, and a method for implementing it. The firewall comprises a firewall part and an IDS part. The firewall part performs a first filtering of network data according to its filtering rules; the IDS part further filters the data that has passed the firewall, screening it against IDS rules; and the filtering policy of the firewall part is updated from the feedback produced by the IDS part. By combining the firewall with the IDS and interlocking the two, the defense against attacks is split into two layers: the firewall part performs coarse-grained defense and the IDS part performs fine-grained analysis of packet contents. The two-layer defense is more effective and accurate; attack defense is separated from the cloud service server, so the quality of the cloud service is not affected and its response delay is reduced; and because the firewall rules change in response to IDS feedback, attacks can be detected flexibly.

Description

Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof
Technical Field
The invention belongs to the technical field of cloud environments and firewalls, and relates to a firewall based on intrusion detection system feedback in a cloud environment and a method for implementing it.
Background
With the rapid development of cloud computing, more and more cloud computing companies are paying attention to cloud security. As part of cloud security, how to defend against attacks from the Internet has become a hot topic. To address it, a system is needed that monitors network traffic through the physical network card, analyzes it, and classifies the different network protocols. Through IDS feedback the firewall rules are updated, so that with the help of the IDS the firewall becomes more effective. The cloud system architecture consists of five roles: the consumer, the cloud service provider, the cloud broker, the auditor, and the cloud carrier. This invention focuses on the role of the cloud service provider in cloud security. Cloud deployments are divided into on-site and off-site. On-site means that the provider and the consumer are on the same network, usually within the same company; off-site means that the provider and the consumer are on different networks at some physical distance and the consumer requests the service remotely.
Although cloud computing architectures are diverse, at the most basic level, the infrastructure layer, users reach cloud services over a network, and this is the main service mode of cloud services. Attacks are classified in many ways, including into internal and external attacks; the present invention discusses external attacks. Among external attacks, the most common are denial-of-service attacks. Because cloud service providers (CSPs) typically have large bandwidth capacity, a conventional single-source denial-of-service attack is not effective against them, which is why distributed denial-of-service (DDoS) attacks are used instead. Their principle is to make many systems send data or service requests to the target system simultaneously, so that the target cannot respond to requests and may even crash, thereby achieving the attacker's purpose. There are, however, many other ways to deny access to a target system located on a cloud platform.
Typically, cloud services are built on virtual machines. Devices are virtualized for the purpose of multiplexing. The essence of a cloud platform is to virtualize physical computing resources and allocate the virtualized resources on demand, which reduces idle physical resources and raises their utilization. A kernel-based virtual machine (KVM) virtualizes the underlying hardware resources; for example, all virtual machines on the cloud platform share one physical network interface controller (NIC). All data traffic of the cloud platform therefore flows through the physical network card, and monitoring the NIC amounts to monitoring the network traffic of the cloud platform. To implement cloud security detection, traffic can be intercepted at the network card of the physical device.
Contradiction in IDS placement: on the one hand, directly inspecting the state of the monitored system gives better visibility, widens the range of analyzable events, reduces the risk of misjudging the system's state, reduces the number of unmonitored attacks, and, with high visibility, makes evasion more difficult. On the other hand, increasing the visibility the IDS has into the target system usually comes at the cost of weaker isolation between the IDS and the attacker, which increases the risk of the IDS itself being attacked directly.
There are two types of intrusion detection systems: host-based intrusion detection systems (HIDS) and network intrusion detection systems (NIDS). NIDS is the key point of this system: because of the multiplexing of the physical network card in the cloud architecture, it is only necessary to monitor that card and analyze the network traffic that carries attacks. Furthermore, to emphasize the role of the firewall, the data monitored by the IDS is analyzed and automatically added to the firewall's defense policy.
This trade-off is most pronounced when comparing the two dominant IDS architectures: NIDS offer high resistance to attack at the expense of visibility, while HIDS offer high visibility but sacrifice resistance to attack. A HIDS is integrated into the monitored host as an application or as part of the operating system, which gives it high visibility; this visibility has enabled a variety of effective techniques for detecting the effects of an attacker, from sophisticated system-call trace analysis to integrity checking and log-file analysis. The visibility of a NIDS is significantly lower: it cannot observe internal host state or events and must collect all of its information from the network traffic entering and leaving the host. This limited visibility gives an attacker more room to manipulate what the IDS observes, and the attacker can deliberately craft network traffic so that its effect on the host is hard to infer. NIDS do, however, have the advantage of retaining their visibility even after the host has been compromised.
Disclosure of Invention
In order to solve the problems, the invention discloses a firewall based on intrusion detection system feedback in a cloud environment and an implementation method thereof.
In order to achieve the purpose, the invention provides the following technical scheme:
A firewall based on intrusion detection system feedback in a cloud environment comprises a firewall part and an IDS part; the firewall part performs a first filtering of network data according to its filtering rules; the IDS part further filters the data that has passed the firewall, screening it against IDS filtering rules; the filtering policy of the firewall part is updated through the feedback information of the IDS part in the system.
Further, the firewall part functions as follows:
First, a packet filtering firewall is used in the system, and packets are selected at the network layer; the selection is based on filtering logic set in the system, called an access control list (ACL); whether a packet is allowed through is decided by checking the source address and destination address, the port number and protocol state used, or a combination of these, for each packet in the data stream;
In the subsequent feedback from the IDS to the firewall, the access control list is updated: packets the firewall does not catch are filtered by the IDS, and for threat packets detected by the IDS, the source address, destination address, port number, protocol state and other information of the packet are fed back to the firewall; the firewall writes this feedback into its filtering rules and changes the access control list, thereby updating access control;
The firewall prevents attacks as follows:
The firewall consults the filtering logic set in the system, examines the source IP address, destination IP address, port number and protocol type of the packet, and matches them against the filtering logic; if a matching entry exists the packet is discarded directly; if not, it is accepted;
The firewall update policy is as follows:
The filtering rules consist of a configuration file, and the rules are changed by editing this configuration file; the firewall communicates mainly with the query module and with the IDS: communication with the query module implements filtering, and communication with the IDS implements rule updating.
Further, the IDS part is implemented with the open source project Snort and includes a local rule base and an online real-time rule base; the local rule base is written for the specific cloud service type, specifying different filtering rules for different protocols; the online rule base is maintained by the Snort project team and is updated to the latest filtering rules.
Further, the IDS implementation consists of two parts: Snort and Barnyard; Snort is responsible for sniffing and data analysis, and Barnyard is responsible for storing the alerts produced by sniffing; the alert information is stored in MySQL;
The data analysis function includes the following processes:
Packets are filtered for the specific cloud service monitored by the IDS by configuring Snort's local rule file, while the online rule base is kept in step with the latest rule set; the method analyzes and records IP network packets from the real-time data flow, parses protocols, matches packet contents, detects various attack patterns and raises alerts on attacks in real time.
The IDS update rule is as follows:
The rule update communicates with the firewall and feeds back firewall filtering rules in time; Guardian implements the change of the firewall filtering mechanism, the update of the access control list, and the release of blocked IP addresses.
Further, the Snort includes the following software modules:
The packet sniffing module monitors network packets and parses them;
The preprocessing module inspects the raw packet with the corresponding plug-in, preprocesses it and reads the packet information;
The detection module checks the packets against the rules after they leave the preprocessor and notifies the alert module once a match is found;
The alert module outputs the data to MySQL after the detection module has found a match.
Further, the Guardian operation steps are as follows:
(1) guardian.pl, the executable of Guardian
(2) When Guardian blocks an IP, it calls the external script scripts/iptables_block
(3) When Guardian releases the block on an IP, it calls the external script scripts/iptables_unblock.
the invention also provides a method for realizing the firewall based on the feedback of the intrusion detection system in the cloud environment, which comprises the following steps:
Step one, in the installation stage, start the firewall of the KVM host, initialize the firewall configuration file, install Snort on the virtual machine and configure it, including downloading the online rule base and installing and configuring the database;
Add the MySQL database;
Step two, in the operation stage, the Snort-based IDS downloads the online rule base to the local machine and filters with it combined with the local rule base;
The specific operation comprises the following steps:
The network packets already filtered by the firewall are re-encapsulated by Snort into its own packet structure, so that Snort can conveniently decode them and match them against the rules for real-time analysis;
After the IDS intercepts a network threat, the relevant output database items are configured so that log output goes to the MySQL database; a snort database is created in MySQL and a snort user is created to manage it;
Step three, detection is ended by stopping the running IDS process.
Further, Snort has three operation modes, corresponding to different control modes, specifically:
Mode 1: Sniffer
Mode 2: Packet logger
Mode 3: Network intrusion detection system.
In sniffer mode Snort simply captures packets from the network and displays them on the terminal; in packet logger mode it stores the packets on disk; in network intrusion detection mode Snort analyzes network traffic and reacts according to user-defined rules.
Further, the IDS uses mode 3.
Compared with the prior art, the invention has the following advantages and beneficial effects:
The IDS is interlocked with the firewall, so that the defense against attacks is split into two layers. The firewall part performs coarse-grained defense and the IDS part performs fine-grained analysis of packet contents; the two-layer defense is more effective and accurate; attack defense is separated from the cloud service server, so the quality of the cloud service is not affected and its response delay is reduced; and because the firewall rules change in response to IDS feedback, attacks can be detected flexibly.
Drawings
Fig. 1 is an architecture diagram in a cloud environment.
Fig. 2 is a specific virtual machine firewall architecture diagram.
Detailed Description
The technical solutions provided by the present invention are described in detail below with reference to specific examples; it should be understood that the following embodiments only illustrate the invention and do not limit its scope. In addition, the steps illustrated in the flow charts of the figures may be performed in a computer system as a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps may be performed in an order different from the one shown.
Research on virtualization monitoring is extensive and falls into two categories: internal monitoring and external monitoring. The firewall design based on intrusion detection system feedback in a cloud environment is mainly aimed at external monitoring, blocking attacks from the external network on the internal cloud platform.
Internal monitoring is a non-transparent monitoring method because of the isolation between virtual machines. It involves the operating system level, and some auxiliary monitoring modules must be implanted, which places requirements on the monitored system; for cloud platforms there is no universal approach. In a system that deploys internal monitoring, the monitoring system is usually placed in the management domain, and its security is ensured by the isolation provided by the virtualization technology. To monitor the target system, an event capture module is implanted in it, and the operations of interest are monitored. The advantage of internal monitoring is that it can be tailored to a specific target system and use that system's semantics, and the overhead of the monitoring process is low. Its disadvantage is that the tight coupling between the monitoring system and the target system makes monitoring opaque and the deployment not portable.
The other category is external monitoring, which is the method used by the present invention. External monitoring is a transparent monitoring method that also relies on the isolation mechanism of virtual machines: monitoring is performed from a separate monitoring virtual machine, and the target system inside its own virtual machine does not need to be modified. The way the monitoring method is deployed in the system, as well as some variations, is outlined below.
The overall environment of the invention is shown in Fig. 1 and the firewall system architecture in Fig. 2. The firewall system is divided into two parts: the firewall part and the IDS part. In the firewall part, network data is first filtered according to the filtering rules. The IDS part further filters the data that has passed the firewall, screening it against the IDS filtering rules. The filtering policy of the firewall is updated through the feedback information of the IDS part in the system.
In the architecture of the present invention, the overall architecture of the firewall is unchanged. It is divided into two parts: attack interception and security policy update. In attack interception, as in a conventional firewall, network traffic is filtered according to the firewall configuration: each packet is checked against the rules, a packet that matches a rule is discarded, and a packet that matches none is passed.
In the security policy update part, the firewall filtering rules are set in the initial state of the system. In the present invention, unlike conventional firewall filtering rules, they change dynamically: through the feedback of the IDS, more efficient filtering is achieved.
The IDS part is implemented with the open source project Snort, which includes a local rule base and an online real-time rule base.
(1) The local rule base is written for the specific cloud service type. Different filtering rules are specified for different protocols, for example ICMP filtering against DDoS.
(2) the online rule base is maintained by the Snort open source project team and updated with the latest filter rules.
The IDS part is the focus of the system; it implements attack monitoring and data feedback. The IDS comprises Snort, Barnyard and MySQL: Snort performs the attack monitoring, and its attack records are stored in MySQL by Barnyard.
An intrusion detection system is an active defense system that originally emerged as a traditional network monitoring tool. With the rapid development of cloud computing it is now used in the field of cloud service security. For a large cloud service system it can monitor the network traffic flowing into the cloud, detect abnormal traffic and issue early warnings. It differs from a firewall: it is a monitoring device, which monitors traffic data in real time and raises alerts.
Unlike a general IDS, the IDS in the present invention is combined with the defense function of the firewall. By interlocking with the firewall, the defense against attacks is split into two layers: the firewall part performs coarse-grained defense, and the IDS part performs fine-grained analysis of packet contents. The advantages are that the two-layer defense is more effective and accurate, attack defense is separated from the cloud service server, the quality of the cloud service is not affected, and its response delay is reduced.
The IDS of the present invention is based on Snort, an excellent IDS core that captures data at the IP layer for analysis, sniffs packets of various formats and reassembles them according to its own rules. Although Snort is not complete in function, its advantage is that it works together with many security components to satisfy the various requirements of security monitoring, and, combined with a database, it can persist the results of anomaly handling.
Snort mainly comprises the following three types of preprocessors:
1) Packet reassembly preprocessors
2) Protocol normalization preprocessors
3) Anomaly detection preprocessors
Snort uses a simple rule description language that is easy to extend and powerful. Snort rules are text-based, and the rule files are grouped by category; one file, for example, contains the FTP attack rules. Each Snort rule can be divided into two logical parts: a rule header and a rule body. The rule header consists of four parts: rule action, protocol, source information, and destination information.
The role of the rule body is to refine the rule header, and it can be used to identify complex attacks. The rule body is optional in a Snort rule definition. It is composed of several separate segments, each defining an option and the corresponding option value.
The system specifically comprises:
1) Firewall
As the first level of defense of the system, the firewall plays a crucial role for the subsequent IDS filtering. First, a packet filtering firewall is used in the system and packets are selected at the network layer. The selection is based on filtering logic set in the system, called an access control list (ACL). Whether a packet is allowed through is decided by examining the source and destination addresses, the port numbers and protocol state used, or a combination of these, for each packet in the data flow.
In the subsequent feedback from the IDS to the firewall, the access control list is updated, because the firewall cannot defend against all attacks on its own. Packets the firewall does not catch are filtered by the IDS, and for threat packets detected by the IDS, the source address, destination address, port number, protocol state and other information of the packet are fed back to the firewall. The firewall writes this feedback into its filtering rules and changes the access control list, thereby updating access control.
Prevention of attacks
The firewall consults the filtering logic set in the system, examines the source IP address, destination IP address, port number and protocol type of the packet, and matches them against the filtering logic. If a matching entry exists the packet is discarded directly; if not, it is accepted.
Update policy
The filtering rules are the main basis for the firewall's filtering. They usually consist of a configuration file, and editing that configuration file changes the rules. The firewall communicates mainly with the query module and with the IDS: communication with the query module implements filtering, and communication with the IDS implements rule updating.
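The following Python sketch is an added illustration of the firewall part as described in the disclosure above and in section 1) here; it is not code from the patent. It models the ACL as a list of blocking entries keyed on source, destination, protocol and port (with "any" wildcards), applies the patent's decision rule (a matching entry means discard, no match means accept), and writes an IDS alert tuple back into the ACL. The rule shapes, the sample addresses and the alert dictionary format are assumptions.

```python
"""Packet-filter ACL with IDS feedback (added example, not the patent's code).
Semantics follow the description: an ACL entry that matches the packet's
source/destination address, protocol and port means DROP; no match means
ACCEPT; a threat reported by the IDS is written back as a new ACL entry."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports (icmp)


@dataclass(frozen=True)
class AclEntry:
    """One blocking entry; a None field means 'any'."""
    src: Optional[str] = None     # single address or CIDR (assumed format)
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    origin: str = "static"        # "static" (config file) or "ids" (feedback)

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class FeedbackFirewall:
    def __init__(self, acl: List[AclEntry]):
        self.acl = list(acl)

    def decide(self, p: Packet) -> str:
        # Patent rule: a matching ACL entry -> discard; otherwise accept.
        for entry in self.acl:
            if entry.matches(p):
                return "DROP"
        return "ACCEPT"

    def apply_ids_feedback(self, alert: dict) -> bool:
        """Write the IDS feedback (src, dst, proto, dport) into the ACL.
        Returns False if an identical entry already exists, so repeated
        alerts for the same flow do not grow the list."""
        entry = AclEntry(src=alert["src"], dst=alert.get("dst"), proto=alert.get("proto"),
                         dport=alert.get("dport"), origin="ids")
        if entry in self.acl:
            return False
        self.acl.append(entry)
        return True


def run_demo():
    """Constructed scenario: static ACL blocks 10.0.0.0/8; an outside host
    first passes, the IDS reports it, and the same flow is then dropped."""
    fw = FeedbackFirewall([AclEntry(src="10.0.0.0/8", origin="static")])
    attacker = Packet("203.0.113.7", "192.0.2.10", "tcp", 80)   # constructed sample
    before = fw.decide(attacker)                                # ACCEPT: not in static ACL
    fw.apply_ids_feedback({"src": "203.0.113.7", "dst": "192.0.2.10",
                           "proto": "tcp", "dport": 80})        # feedback from the IDS part
    after = fw.decide(attacker)                                 # DROP
    other = fw.decide(Packet("203.0.113.7", "192.0.2.10", "tcp", 443))  # ACCEPT: entry is per flow
    return before, after, other


if __name__ == "__main__":
    print(run_demo())
```

Note that a feedback entry carrying all four fields blocks only that exact flow; the third decision in run_demo shows the same source reaching another port. Guardian, described later, blocks by source address alone, which corresponds to feeding back only the src field.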
2) Intrusion detection system
The IDS is an important component of the overall system and an important factor in achieving accurate attack defense. The IDS in this system is built on the open source project Snort. In the IDS there are mainly two rule bases: a locally configured rule base and an online rule base. The local rule base is intended to fit a particular cloud service and varies from service to service; the online rule base is real-time and synchronized with the latest attack prevention information. Through the two rule bases, the user can effectively resist attacks from external networks.
The IDS is implemented mainly by two parts: Snort and Barnyard. Snort is responsible for sniffing and analyzing packets.
Barnyard is responsible for storing the alerts produced by sniffing. In this system the alert information is stored in MySQL, which makes it convenient for security staff to analyze the alerts and preserve them as evidence.
Analysis of data
Data analysis is implemented mainly by Snort. Snort's rule files are configured to filter packets for the specific cloud service monitored by the IDS, and the online rule base is kept in step with the latest rule set. The method analyzes and records IP network packets from the real-time data flow, parses protocols, matches packet contents, detects various attack patterns and raises alerts on attacks in real time.
Snort's architecture is as follows:
1) Packet sniffing module: mainly responsible for monitoring network packets and parsing them according to the TCP/IP protocol.
2) Preprocessing module: uses the corresponding plug-in to inspect the raw packet, preprocesses it, and makes its information, such as IP address and port, easy to read. Specifically: 1. the packet reassembly preprocessor prevents attack content from being split across several packets to evade Snort's detection; 2. the protocol decoding preprocessor decodes the packet protocol into a uniform format and passes it to the detection module; 3. the protocol anomaly detection preprocessor.
3) Detection engine module: the core module of Snort. When the preprocessor hands over packets, the detection engine matches them against the detection rules, which are organized as a three-dimensional linked list; once the content of a packet matches a rule, the detection engine notifies the alert module.
4) Alert/log module: after the detection engine has checked a packet and passed it to the alert module, the alert module processes it differently (database or log) according to the rule action (alert or log) and outputs the data to MySQL.
Since the decoding module and the preprocessing module are similar in function, and both process the packet before the rule detection engine, the two are introduced together. The decoding module decodes the raw network packet captured from the monitored network from the bottom up according to each layer of the protocol stack, stores the decoded data in the corresponding data structures, and finally hands it to the preprocessing module.
After preprocessing, the decoded packet can be matched against the rules by the main detection engine. The preprocessor exists mainly to cope with techniques for attacking or evading the IDS. It has the following functions:
(1) It checks or modifies the packet for suspicious behaviour so that the detection engine can interpret it correctly.
(2) It normalizes the traffic so that the detection engine can match signatures exactly.
Update rules
The rule update communicates with the firewall and feeds back firewall filtering rules in time, so that the firewall can defend against attacks more effectively. Guardian implements the change of the firewall filtering mechanism, the update of the access control list, and the release of blocked IP addresses.
·Guardian
Above we referred to updating the firewall; this is implemented by Guardian, a security program used together with Snort. It reads the alerts generated by Snort, keeps statistics on them, and automatically updates the firewall rules. The alert problem in Snort was discussed earlier. Guardian feeds the IP address that generated an alert back to the firewall, and the updated firewall rule intercepts all traffic from that IP through the ACL. In addition, there is logic to keep important machines, such as DNS servers, gateways and anything else the administrator chooses, from being blocked. The specific operation steps are as follows:
(1) guardian.pl, the executable of Guardian
(2) When Guardian blocks an IP, it calls the external script scripts/iptables_block
(3) When Guardian releases the block on an IP, it calls the external script scripts/iptables_unblock.
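The Guardian feedback loop described here and in the disclosure above (read a Snort alert, skip protected hosts, block the alerting source through the firewall, release the block later) is illustrated by the following added Python example. It is not Guardian's own Perl code: the alert lines are constructed samples in Snort's fast alert format, the whitelist, time limit and interface name are assumptions, and the iptables command strings are a model of what the scripts/iptables_block and scripts/iptables_unblock scripts named above would run, recorded rather than executed so that the example runs offline.

```python
"""Guardian-style IDS-to-firewall feedback (added example, not Guardian's code).
Parses Snort fast-format alerts, ignores whitelisted hosts (DNS server,
gateway), records a block command for the alerting source, and releases the
block once a time limit expires."""
import re
from typing import Dict, List, Optional

# Snort "alert_fast" line, e.g.
# 09/23-14:02:11.123456  [**] [1:1000001:1] ICMP flood [**] [Priority: 2] {ICMP} 203.0.113.7 -> 192.0.2.10
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return gid/sid/rev/msg/proto/src/dst of a fast alert line, or None."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


class Guardian:
    def __init__(self, ignore: List[str], time_limit: int, iface: str = "eth0"):
        self.ignore = set(ignore)          # hosts that must never be blocked
        self.time_limit = time_limit       # seconds a block stays in place
        self.iface = iface
        self.blocked: Dict[str, float] = {}   # source ip -> release deadline
        self.commands: List[str] = []         # firewall commands that would run

    def _block_cmd(self, ip: str) -> str:
        # Assumed shape of scripts/iptables_block: drop everything from the source.
        return f"iptables -I INPUT -i {self.iface} -s {ip} -j DROP"

    def _unblock_cmd(self, ip: str) -> str:
        # Assumed shape of scripts/iptables_unblock: remove that rule again.
        return f"iptables -D INPUT -i {self.iface} -s {ip} -j DROP"

    def handle(self, line: str, now: float) -> str:
        alert = parse_alert(line)
        if alert is None:
            return "ignored:unparsed"
        ip = alert["src"]
        if ip in self.ignore:
            return "ignored:whitelist"
        if ip in self.blocked:
            self.blocked[ip] = now + self.time_limit   # repeat alert: extend the block
            return "already-blocked"
        self.blocked[ip] = now + self.time_limit
        self.commands.append(self._block_cmd(ip))
        return "blocked"

    def expire(self, now: float) -> List[str]:
        """Release every block whose deadline has passed; return the released IPs."""
        released = [ip for ip, deadline in self.blocked.items() if deadline <= now]
        for ip in released:
            del self.blocked[ip]
            self.commands.append(self._unblock_cmd(ip))
        return released


SAMPLE_ALERTS = [  # constructed sample lines, not real captures
    "09/23-14:02:11.123456  [**] [1:1000001:1] ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 203.0.113.7 -> 192.0.2.10",
    "09/23-14:02:12.000001  [**] [1:1000002:1] Web Access [**] [Priority: 3] {TCP} 198.51.100.5:51234 -> 192.0.2.10:80",
    "09/23-14:02:12.500000  [**] [1:1000001:1] ICMP flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 192.0.2.1 -> 192.0.2.10",
    "this line is not an alert",
]


def run_demo():
    """Gateway 192.0.2.1 and DNS server 192.0.2.53 are whitelisted (assumed)."""
    g = Guardian(ignore=["192.0.2.1", "192.0.2.53"], time_limit=600)
    results = [g.handle(line, now=1000.0) for line in SAMPLE_ALERTS]
    released = g.expire(now=1000.0 + 600)
    return results, released, list(g.commands)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The whitelist check runs before any firewall change, which is the protection for DNS servers and gateways mentioned in the text; without it, a spoofed source address in an ICMP flood could make the feedback loop block the platform's own gateway.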
the specific steps of the system deployment are as follows:
Step one, in the installation stage, start the firewall of the KVM host and initialize the firewall configuration file, including the ACL; install Snort on the virtual machine and configure it, including downloading the online rule base and installing and configuring the database.
To store the alert information, a MySQL database is added to the system; it is also the basis for displaying the alert information on a page.
Step two, in the operation stage, the Snort-based IDS downloads the online rule base to the local machine and filters with it combined with the locally configured rule base.
Specifically, the network packets already filtered by the firewall are re-encapsulated by Snort into its own packet structure, so that Snort can conveniently decode them, parse the network protocol and react.
Example of a Snort rule:
alert tcp 202.110.8.1 any -> 122.111.90.8 80 (msg:"Web Access"; sid:1;)
alert: the action; if this rule is triggered, an alert is raised
tcp: protocol type
IP address: source/destination IP address
any / 80: port number (source / destination)
->: direction operator; <> is the bidirectional form
msg: the message printed in alerts and packet logs
sid: Snort rule id …
The rule is easy to understand literally. Snort is a Network Intrusion Detection/Prevention System (NIDS/NIPS) which uses rules to match packets for real-time traffic analysis and network packet logging.
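A parser and matcher for Snort rule headers of the form shown above, as an added example in Python (not Snort's own code). It covers the header fields the page lists (action, protocol, source/destination address and port, the -> and <> direction operators) and the msg and sid options, and goes slightly beyond the page's single rule by also accepting CIDR networks, port ranges and '!' negation, which Snort allows. The DNS_RULE, the negated rule in the test and the sample packets are constructed for the example.

```python
"""Added example: parse and evaluate Snort rule headers (not Snort's own code).

Handles action, protocol, source/destination address and port, the -> and <>
direction operators, and key:value; options such as msg and sid.  Addresses
may be 'any', a host, a CIDR block, or a '!'-negated form; ports may be 'any',
a number, or a low:high range.  The DNS rule and the packets in the demo are
constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# key:value; pairs; the value is a quoted string or anything up to ';'. Keys without a value (nocase;) also match.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def parse_options(text):
    """'msg:"Web Access"; sid:1;' -> {'msg': 'Web Access', 'sid': '1'}; flag options map to True."""
    return {key: (value.strip('"') if value else True) for key, value in OPTION_RE.findall(text)}


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Snort rule: {line!r}")
    return Rule(m["action"], m["proto"].lower(), m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], parse_options(m["opts"]))


def _ip_matches(spec, ip):
    """any, a host, a CIDR block, or the '!'-negated form of either."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def _port_matches(spec, port):
    """any, a single port, a low:high range (either bound optional), or the '!'-negated form."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _one_way(rule, src_ip, src_port, dst_ip, dst_port):
    return (_ip_matches(rule.src, src_ip) and _port_matches(rule.sport, src_port)
            and _ip_matches(rule.dst, dst_ip) and _port_matches(rule.dport, dst_port))


def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the rule header applies to this packet; '<>' also matches the reverse direction."""
    if rule.proto not in ("ip", proto.lower()):
        return False
    if _one_way(rule, src_ip, src_port, dst_ip, dst_port):
        return True
    return rule.direction == "<>" and _one_way(rule, dst_ip, dst_port, src_ip, src_port)


def evaluate(rules, packet):
    """Return (action, msg, sid) of the first rule that fires for the packet, or None."""
    for rule in rules:
        if rule_matches(rule, *packet):
            return rule.action, rule.options.get("msg"), int(rule.options["sid"])
    return None


WEB_RULE = 'alert tcp 202.110.8.1 any -> 122.111.90.8 80 (msg:"Web Access"; sid:1;)'
DNS_RULE = 'alert udp any any <> 10.0.0.0/8 53 (msg:"DNS"; sid:2;)'   # constructed

if __name__ == "__main__":
    rules = [parse_rule(WEB_RULE), parse_rule(DNS_RULE)]
    # constructed packets: (proto, src_ip, src_port, dst_ip, dst_port)
    for pkt in [("tcp", "202.110.8.1", 51515, "122.111.90.8", 80),
                ("tcp", "122.111.90.8", 80, "202.110.8.1", 51515),   # reply: '->' does not match
                ("udp", "10.1.2.3", 53, "192.0.2.9", 40000)]:         # reply: '<>' matches
        print(pkt, "->", evaluate(rules, pkt))
```

Only the header and the msg/sid options are evaluated; payload options such as content are parsed into the dictionary but not applied, which is the part of Snort that the page's rule does not exercise.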
After the IDS intercepts a network threat, the log output is directed into the MySQL database by enabling the relevant output database entries in the configuration; a snort database is created in MySQL and a snort user is created to manage it.
Step three, detection is finished by stopping the IDS process.
Snort, the most important part of the system, is responsible for interception and early warning. In this system Snort runs in intrusion detection mode: Snort analyzes the network traffic, matches it against user-defined rules, and takes action according to the detection result.
The IDS is the core of the system. Snort has three operating modes, corresponding to different control modes:
Mode 1: sniffer
Mode 2: packet logger
Mode 3: network intrusion detection system.
The sniffer mode simply captures packets from the network and displays them on the terminal; the packet logger mode stores the packets to disk; the network intrusion detection mode is the most complex and the most configurable: it makes Snort analyze network traffic and react according to user-defined rules. Mode 3 is used in this system, as it supports the richest detection.
Our experiments were performed on the Array platform, on a virtual machine built from CentOS-7-x86_64-Minimal-1511. The experimental tools are Snort-2.9.9.0, used to monitor attack behaviour; barnyard2-1.9, used for data storage; and MySQL, the database in which the Snort alerts are stored. DDoS attacks are launched from different hosts and recorded in the database, and the performance of the system is evaluated by analyzing the data.
the technical means disclosed in the invention scheme are not limited to the technical means disclosed in the above embodiments, but also include the technical scheme formed by any combination of the above technical features. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications are also considered to be within the scope of the present invention.

Claims (9)

1. A firewall based on intrusion detection system feedback in a cloud environment, characterized in that: it includes a firewall part and an IDS part; the firewall part filters network data for the first time according to filtering rules; the IDS part further filters the data that passed the firewall, screening it according to the IDS filtering rules; and the filtering strategy of the firewall part is updated through feedback information from the IDS part of the system.
2. The firewall based on feedback of an intrusion detection system in a cloud environment of claim 1, wherein the firewall part functions as follows:
First, a packet-filtering firewall is used in the system, selecting packets at the network layer; the selection is based on the filtering logic set in the system, called an access control list; whether a packet is allowed to pass is determined by checking each packet's source address and destination address, the port number used, the protocol state, or a combination of these;
In subsequent feedback from the IDS to the firewall, the access control list is updated: packets the firewall did not detect are filtered by the IDS, and for the threat packets the IDS detects, the packet's source address and destination address, the port number used, the protocol state and other information are fed back to the firewall; the firewall writes the feedback information into its filtering rules and changes the access control list, thereby updating the access control;
The firewall prevents attacks as follows:
the firewall queries the filtering logic set in the system, inspects the source IP address, destination IP address, port number and protocol type of the packet, and matches them against the filtering logic; if a matching entry exists, the packet is discarded directly; if not, it is accepted;
The firewall update policy is as follows:
the filtering rules consist of a configuration file and can be changed by editing the configuration file; the firewall communicates mainly with the query module and with the IDS: with the query module to perform filtering, and with the IDS to update the filtering rules.
3. The firewall based on feedback of an intrusion detection system in a cloud environment of claim 1, wherein: the IDS part is implemented with the Snort open source project, which includes a local rule base and an online real-time rule base; the local rule base is written according to the specific cloud service type, specifying different filtering rules for different protocols; the online rule base is maintained by the Snort open source project team and updated to the latest filtering rules.
4. The firewall based on feedback of an intrusion detection system in a cloud environment of claim 3, wherein: the implementation of the IDS includes two parts, Snort and Barnyard; Snort is responsible for sniffing and data analysis, and Barnyard is responsible for storing the alert information from sniffing; the alert information is stored in MySQL;
The data analysis function includes the following processes:
filtering packets for the specific cloud service monitored by the IDS by configuring Snort's local rule file, while the online rule base is kept in line with the latest rule base; analyzing and recording IP network packets from the real-time data flow, performing protocol analysis, matching the packet contents, detecting various attack patterns and raising real-time alerts on attacks;
The IDS update rule is as follows:
the rule update communicates with the firewall and feeds back firewall filtering rules in time, and Guardian implements the change of the firewall filtering mechanism, the access control list update and the IP address release.
5. The firewall based on feedback of an intrusion detection system in a cloud environment of claim 4, wherein Snort includes the following software modules:
the packet sniffing module, which monitors network packets and analyzes the network;
the preprocessing module, which checks the raw packets with the corresponding plug-ins, preprocesses them and reads the packet information;
the detection module, which checks packets against the rules after they come from the preprocessor and notifies the alarm module once a match is found;
and the alarm module, which outputs the data to MySQL once the detection module has detected it.
6. The firewall based on feedback of an intrusion detection system in a cloud environment of claim 4, wherein the Guardian operation steps are as follows:
(1) Guardian's executable, a Perl script (.pl), is run;
(2) when Guardian blocks an IP, it calls the external script scripts/iptables_block with that IP;
(3) when Guardian releases the block on an IP, it calls the external script scripts/iptables_unblock.
7. A method for implementing a firewall based on intrusion detection system feedback in a cloud environment, characterized by comprising the following steps:
Step one, in the installation stage, start the KVM firewall, initialize the firewall configuration file, install Snort on the virtual machine and configure it, the configuration including downloading the online rule base and installing and configuring the database;
add a MySQL database;
Step two, in the operation stage, the Snort-based IDS downloads the online rule base locally and filters with it in combination with the local rule base;
The specific operation comprises the following steps:
the network packets filtered by the firewall are re-encapsulated by Snort into Snort packets, so that Snort can conveniently decode the packets and match them against the rules for real-time analysis;
after intercepting a network threat, the IDS enables the relevant output database entries, directs the log output into a MySQL database, creates a snort database in MySQL and creates a snort user to manage the database;
Step three, detection is finished by stopping the IDS process.
8. The method of claim 7, wherein Snort has three operating modes, corresponding to different control modes, specifically:
Mode 1: sniffer
Mode 2: packet logger
Mode 3: network intrusion detection system.
The sniffer mode simply captures packets from the network and displays them on the terminal; the packet logger mode stores the packets to disk; the network intrusion detection mode makes Snort analyze network traffic and react according to user-defined rules.
9. The method for implementing a firewall based on intrusion detection system feedback in a cloud environment according to claim 8, wherein: the IDS uses mode 3.
CN201910903978.1A 2019-09-24 2019-09-24 Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof Pending CN110572412A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910903978.1A CN110572412A (en) 2019-09-24 2019-09-24 Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910903978.1A CN110572412A (en) 2019-09-24 2019-09-24 Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof

Publications (1)

Publication Number Publication Date
CN110572412A true CN110572412A (en) 2019-12-13

Family

ID=68782162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910903978.1A Pending CN110572412A (en) 2019-09-24 2019-09-24 Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof

Country Status (1)

Country Link
CN (1) CN110572412A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431864A (en) * 2020-02-28 2020-07-17 深圳开源互联网安全技术有限公司 Internet of vehicles monitoring system, method and device and readable storage medium
CN111669371A (en) * 2020-05-18 2020-09-15 深圳供电局有限公司 Network attack restoration system and method suitable for power network
CN111726364A (en) * 2020-06-29 2020-09-29 浙江军盾信息科技有限公司 Host intrusion prevention method, system and related device
CN112118248A (en) * 2020-09-11 2020-12-22 苏州浪潮智能科技有限公司 Method and device for detecting abnormal flow of cloud platform virtual machine, virtual machine and system
CN112995174A (en) * 2021-02-24 2021-06-18 紫光云技术有限公司 Intrusion prevention system based on snort
CN113014571A (en) * 2021-02-22 2021-06-22 腾讯科技(深圳)有限公司 Method, device and storage medium for processing access request
CN114079576A (en) * 2020-08-18 2022-02-22 奇安信科技集团股份有限公司 Security defense method, security defense device, electronic apparatus, and medium
WO2022100002A1 (en) * 2020-11-10 2022-05-19 华为技术有限公司 Network security protection method and device
CN114553448A (en) * 2020-11-18 2022-05-27 上海汽车集团股份有限公司 Vehicle-mounted network information safety system
CN114900347A (en) * 2022-04-28 2022-08-12 重庆长安汽车股份有限公司 Ethernet-based intrusion detection method and data packet distribution method
WO2023184303A1 (en) * 2022-03-31 2023-10-05 华为技术有限公司 Security inspection method and apparatus, and vehicle
GB2621629A (en) * 2022-08-19 2024-02-21 British Telecomm Intrusion prevention system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101299760A (en) * 2008-05-28 2008-11-05 北京星网锐捷网络技术有限公司 Information safety processing method and system, communication equipment
CN101610264A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 The management method of a kind of firewall system, safety service platform and firewall system
CN101714990A (en) * 2009-10-30 2010-05-26 清华大学 Network security safeguarding integrated system and control method thereof
CN102111420A (en) * 2011-03-16 2011-06-29 上海电机学院 Intelligent NIPS framework based on dynamic cloud/fire wall linkage
CN102164129A (en) * 2011-03-19 2011-08-24 东北电力大学 Linkage method for firewall and intrusion-detection system
CN104660554A (en) * 2013-11-19 2015-05-27 北京天地超云科技有限公司 Method for implementing communication data security of virtual machines

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
张晶 (Zhang Jing): "Research on embedded intrusion detection methods in firewalls", China Master's Theses Full-text Database, Information Science and Technology *
杜敏 (Du Min): "Research on a Netfilter firewall combined with an intrusion detection mechanism", China Master's Theses Full-text Database, Information Science and Technology *
杨光明子 (Yang Guangmingzi): "Design and implementation of an APT defense platform based on intrusion detection", China Master's Theses Full-text Database, Information Science and Technology *
蔺德军 (Lin Dejun): "Discussion on the organic integration of IDS and firewalls", Journal of Qingdao University (Engineering and Technology Edition) *

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431864A (en) * 2020-02-28 2020-07-17 深圳开源互联网安全技术有限公司 Internet of vehicles monitoring system, method and device and readable storage medium
CN111669371A (en) * 2020-05-18 2020-09-15 深圳供电局有限公司 Network attack restoration system and method suitable for power network
CN111669371B (en) * 2020-05-18 2022-09-30 深圳供电局有限公司 Network attack restoration system and method suitable for power network
CN111726364A (en) * 2020-06-29 2020-09-29 浙江军盾信息科技有限公司 Host intrusion prevention method, system and related device
CN111726364B (en) * 2020-06-29 2023-04-07 杭州安恒信息安全技术有限公司 Host intrusion prevention method, system and related device
CN114079576A (en) * 2020-08-18 2022-02-22 奇安信科技集团股份有限公司 Security defense method, security defense device, electronic apparatus, and medium
CN112118248A (en) * 2020-09-11 2020-12-22 苏州浪潮智能科技有限公司 Method and device for detecting abnormal flow of cloud platform virtual machine, virtual machine and system
CN112118248B (en) * 2020-09-11 2022-06-14 苏州浪潮智能科技有限公司 Cloud platform virtual machine abnormal flow detection method and device, virtual machine and system
WO2022100002A1 (en) * 2020-11-10 2022-05-19 华为技术有限公司 Network security protection method and device
CN114553448A (en) * 2020-11-18 2022-05-27 上海汽车集团股份有限公司 Vehicle-mounted network information safety system
CN113014571B (en) * 2021-02-22 2022-03-25 腾讯科技(深圳)有限公司 Method, device and storage medium for processing access request
CN113014571A (en) * 2021-02-22 2021-06-22 腾讯科技(深圳)有限公司 Method, device and storage medium for processing access request
CN112995174A (en) * 2021-02-24 2021-06-18 紫光云技术有限公司 Intrusion prevention system based on snort
WO2023184303A1 (en) * 2022-03-31 2023-10-05 华为技术有限公司 Security inspection method and apparatus, and vehicle
CN114900347A (en) * 2022-04-28 2022-08-12 重庆长安汽车股份有限公司 Ethernet-based intrusion detection method and data packet distribution method
CN114900347B (en) * 2022-04-28 2023-04-14 重庆长安汽车股份有限公司 Ethernet-based intrusion detection method and data packet distribution method
GB2621629A (en) * 2022-08-19 2024-02-21 British Telecomm Intrusion prevention system

Similar Documents

Publication Publication Date Title
CN110572412A (en) Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof
Wang et al. Intrusion prevention system design
Corona et al. Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues
CN101465770B (en) Method for disposing inbreak detection system
US7493659B1 (en) Network intrusion detection and analysis system and method
JP3968724B2 (en) Network security system and operation method thereof
EP2106085B1 (en) System and method for securing a network from zero-day vulnerability exploits
US20070266433A1 (en) System and Method for Securing Information in a Virtual Computing Environment
CN100435513C (en) Method of linking network equipment and invading detection system
CN112788034B (en) Processing method and device for resisting network attack, electronic equipment and storage medium
US11909761B2 (en) Mitigating malware impact by utilizing sandbox insights
CN112398844A (en) Flow analysis implementation method based on internal and external network real-time drainage data
Ma et al. A design of firewall based on feedback of intrusion detection system in cloud environment
CN102624721B (en) Feature code verification platform system and feature code verification method
Sequeira Intrusion prevention systems: security's silver bullet?
Krishnan et al. An adaptive distributed intrusion detection system for cloud computing framework
CN111464526A (en) Network intrusion detection method, device, equipment and readable storage medium
KR101768079B1 (en) System and method for improvement invasion detection
CN111131168A (en) Self-adaptive protection method based on Web application
KR101767591B1 (en) System and method for improvement invasion detection
Dressler et al. Flow-based worm detection using correlated honeypot logs
JP7172104B2 (en) NETWORK MONITORING DEVICE, NETWORK MONITORING PROGRAM AND NETWORK MONITORING METHOD
Li-Juan Honeypot-based defense system research and design
Araújo et al. EICIDS-elastic and internal cloud-based detection system
Jayan et al. Sys-log classifier for complex event processing system in network security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191213